From IVP Wiki
Revision as of 15:37, 27 June 2011 by Bill Densmore

National Strategy for Trusted Identities in Cyberspace

Privacy Workshop

June 27-28, 2011 / MIT Media Lab / Boston, Mass.

By Bill Densmore

Hash tags: #nstic.mit #nstic

SPEAKER: Keynote and host -- Sandy Pentland, MIT Media Lab

Keynote speaker Alex “Sandy” Pentland, former head of the Media Lab, is a pioneer of the mobile social web:

“Personal data is the new oil of the internet and the new currency of the digital world.” Meglena Kuneva, European Consumer Commissioner.

Telecoms have to collect personal data to make money. “They see this as their way forward. …. Most large media companies see this as their route back to profitability.”

In two years there will be 200 million medical devices on and inside people, according to an executive at Qualcomm.

“All the private data about people coming through one channel . . . that’s the real point of pain here . . . do not be distracted by Facebook or Google.”

SPEAKER: Jeremy Grant: Personal data: The emergence of a new asset class

“The only people you can trust with this data are the people themselves. People have to have ownership of their data,” he says. So how do you promote ownership of personal data by the people themselves? The key is to think of data as valuable.

“Companies are willing to do this, because if they give you a copy of your data . . . you have the ability to use it in whatever value-producing way you choose.”

  • Privacy-enhancing and voluntary -- user choice of providers
  • Secure and resilient
  • Interoperable
  • Cost-effective and easy to use

What problems does NSTIC seek to solve?

  • User names and passwords are broken
  • Identity-theft costs are rising – 11.7M victims, $17.3B cost over two years
  • Cybercrime is also on the rise
  • Goal: By Jan. 1, 2016 – an identity ecosystem that is interoperable.

Grant says government wants to lead a private sector effort but will not develop an infrastructure itself – rather will collaborate and use private solutions. He quotes President Obama as saying the idea is to not force anyone to give up the anonymity they enjoy on the web if they wish to be anonymous.

Grant: “Government will participate in this group … but it does not mean we will lead this effort.” Government wants to advocate for and protect individuals. Comments on a June 8 notice of inquiry are due July 22, focused on steering group structure, initiation, representation of stakeholders and international considerations.

They hope to get ideas, lessons and input from stakeholders. Submissions are part of the public record, and there will be a public report with recommendations for addressing, at a minimum, the questions raised on the four key issues.

Grant: A few words about privacy

  • Enhancement of privacy a guiding principle
  • Minimum information required to be shared is the idea
  • Preserve positive privacy benefits of offline transactions, mitigate bad aspects

A key objective: Develop improved privacy-protection mechanisms.

The executive branch will work with the private sector to make sure that identity providers:

  • Limit collection and retention of data
  • Provide notice
  • Minimize data aggregation and linkages across transactions
  • Allow easy deletion by the end user
  • Maintain accuracy standards
  • Allow transfers
  • Provide accountability about how information is actually used
  • Provide effective redress mechanisms

SPEAKER: Naomi Lefkovitz, White House

Lefkovitz is on the national security staff of the executive office of the president.

“I do want to spend a few minutes talking about why NSTIC puts such an emphasis on privacy.”

Obama has placed emphasis on cybersecurity. It is possible to have privacy and secure identities, she believes. The danger is that we could arrive at a system with unprecedented tracking without control by individuals. If not careful: “We will have set in motion this very thing.” Without being proactive and building privacy protections in at the early stages, the result could easily be an uncontrolled evolution of such unprecedented tracking.

  • What do privacy protections mean? What will their impact on business be? Privacy is a subjective term and concept.

NSTIC is not being implemented in a vacuum. There is a recognition that we need a comprehensive and integrated approach toward privacy. What NSTIC is calling for is consistent with a larger movement around privacy.

“The administration through NSTIC feels it is possible to have both privacy and more secure online transactions. But it is not inevitable . . . the U.S. government is committed to working with all the stakeholders . . . to making this possible.”

Q&A session

A person from PayPal wants to know how much is known now about the extent to which the national office will “certify” an identity provider as accredited for government purposes. ANSWER: Nothing specific.

Karen Sollins, MIT: Concern that for it to work, businesses have to understand how to make money in it. That is a huge tension in this space. Until we get a better idea of that, it is very hard to talk about governance … why are people going to want to go into it? Why are Google and Facebook, who are already providing their own models … what is going to bring them into the fold?

Consumers care about ease of use. What are you going to do proactively on a site you don’t collect information on? Nothing prevents Google from taking and keeping information. Right now that information is not collected by the federal government. How do we make sure it is not collected by anyone else, either? How are you going to ensure the same level of non-collection?

Steve Carmody, Brown University, and part of InCommon, a private education federation: There are already trust fabrics and policies for sharing of attributes. NIST is focused on the consumer side. Has there been discussion about accommodating those two different environments?

A: NSTIC is not sure whether it will be a single framework or many different trust frameworks which are interconnected. That’s something the steering group will tackle.

Jeff, W3C: What is the strategy for harmonizing globally?

Jamie Clark, OASIS: What about hooks toward anonymity? Are we assuming that anonymity is woven through privacy as a special case? Sometimes the private information needed is zero.

A: Middle ground – There might only need to be an assurance that you can buy something, but all they need to know is that you can pay.

Karen Sollins, MIT: Re internationalism, there are many countries with significantly different models of what privacy and identity mean, and who owns data.

A: Agrees that concepts are different around the world. May have to go in baby steps before getting to harmonization. Won’t solve overnight.

Sollins: “My instinct is if we start in our own little vacuum and say we will figure it out later – that won’t work.”

A: That’s why one of the four questions is specifically on international questions: We don’t have all the answers now. He says a number of nations that have issued national identity cards have been in touch with Grant, thinking the NSTIC model might be cooler and better.

Is there anything that would prevent government agencies from being partners on the steering committee?

A: That hasn’t been decided yet.

What are the plans for pilots?

A: This year (FY11, which began Oct. 1), NSTIC efforts are supported out of existing authorities. For FY2011: $24M, including $17.5M for pilots. “We have not yet put out criteria for what selection processes and criteria would be.” They want to stand up a wide range of pilots.

From Tweets: What about government access to IDP data logs?

Government eschews any central database

A: Grant -- One, there is no central database that is created. The government doesn’t want to own or be in the middle of this …. Could government access third-party databases? “That’s a battle that has been going on for years and NSTIC isn’t going to be doing anything to change that …. There is no central database created and the government isn’t going to be doing anything to track that.”

First panel starting: Privacy practice: A case study

Two panelists, Kellie Cosgrove Riley (Federal Trade Commission division of privacy and identification) and Don Thibeau, chairman of the Open Identity Exchange, walk through a case study.

Cosgrove: One principle they have followed is that use of a third-party credential should not be a requirement for access to government information. There must be another way. There should be notice to the user about what is going on. The process should be “opt-in” (by active choice).

Cosgrove: “If I use my credential … (at multiple government websites) … the identity provider cannot track that.” People don’t want to get tracked across multiple government activities. The commercial identity provider should only use the system for federated authentication.

Cosgrove: Important that if an identity provider goes out of business or is sold there are requirements for continued protection of sensitive data.

Thibeau: Cosgrove has described the “FICAM” program, which preceded NSTIC. FICAM showed that real companies can become engaged in privacy issues. Even Level 1 assurance (the lowest level) is useful.

Thibeau: Talking about standards requires talking about standards. Silicon Valley likes to talk about how slowly government works. Thibeau says that is necessary. Standards around privacy and identity in the private sector have also been very slow. OAuth is in draft No. 16 and is not finished yet. OpenID 2.0 to OpenID Connect “is very slow, very painful and very tortured.”

Thibeau: “Standards development is a set of compromises between interested parties and it even invokes the P-word – politics.”

Thibeau: Getting consensus will get you to the much-needed network effect. He thinks there is important evolution within the government and on the private-sector side. OAuth and OpenID are taking their place alongside Facebook Connect.

There’s a third vector: “And that is what the bad guys are doing. That is the general degradation and trust identity issues on the Internet.” Breach after breach, all exploiting the inability of passwords to secure an enterprise or an individual’s privacy and security. “We have this attack vector . . . where we are increasingly working this world . . . where you cannot trust an attachment to an email . . . or caller ID.” The ecosystem is becoming less trustworthy, with less commerce and fewer privacy protections. “We do have this third vector, which is going to I think increase the tension and increase the urgency of efforts like NSTIC.”

In a less trusting ecosystem, the first casualties are privacy, security and trust.

Panelists: Slomovic, Coderre, Stepanovich, Popowycz and Titus via Skype

Panel discussion:

  • Alex Popowycz, vp of info security, Fidelity Investments
  • Amie Stepanovich, national security counsel, Electronic Privacy Information Center
  • Aaron Titus, chief privacy officer, Identity Finder
  • Mark Coderre, head of security architecture, Aetna
  • Anna Slomovic, chief privacy officer, Equifax

Stepanovich (EPIC): EPIC supports the White House and NIST work on NSTIC. It supports the goal of minimizing access to unneeded attributes (pieces of private data). She has three points (I missed the first one):

  • Set up a privacy structure to oversee compliance and make sure companies are not overriding what they set out to accomplish, including independent audits.
  • A need for enforcement when Fair Information Practices fail. This needs to include a private right of action and indemnity for companies in compliance.

Coderre (Aetna): Study what it is like to have a relationship with customers as an identifying party. SAML has standardized the token mechanism. Now they are looking at the quality of the authentication. “We are not going to federate our consumer portal with a weak link.” How can we be sure assurance levels are in place?

An ecosystem of three or more relying parties and identity providers gets messy pretty quickly.

“We’re still going to have a direct relationship with that consumer. How does that get controlled? Privacy within the ecosystem and how does that impact at all the direct privacy that a company would have with a consumer.”

Slomovic (Equifax): Has been in a number of companies. The goal is to translate privacy principles into something that is workable and “checkable.” “We need to have a conversation about the boundaries of the identity ecosystem.” She is on a Kantara privacy working group.

Slomovic: “Where does the identity ecosystem end and the relying party ecosystem relationship with a consumer begin?”

Aaron Titus (Identity Finder), in San Diego: FIPPs (Fair Information Practice Principles) at the 30,000-foot level can sometimes yield confusing or shocking results. Three potential choke points:

  • If there isn’t an ability of the consumer to negotiate terms for information going into the identity ecosystem, then the holders will create choke points, since they will control the terms.
  • Information outside the identity ecosystem. How is it handled?
  • Identity providers will have access to a vast warehouse of sensitive personal information. “They will be under intense pressure to monetize that information against the interests of the individual.”

Titus: Privacy is a “hollow incantation” when it is used on some websites. “By inducing individuals to log in using their private credential, they would have good reason to assume that any information they would give that third party would be under those same protections.”

Stepanovich: She thinks companies should declare to the ecosystem what they are going to collect. If they then collect information outside of that, there should be a private right of action to fix that.

Titus sees these levels of privacy:

  • Mandate all circumstances
  • Mandate some circumstances
  • Default on
  • Opt-in (default off)
  • Vendors have choice whether to offer functionality

Should this be thought of as a U.S. framework or one which reaches across to other trading partners?

Coderre: Follow the regime being followed by the trust framework providers.

Q-and-A starts

Would the same trust network work for both financial and health data?

Slomovic asks: In the U.S. identity data is not regulated. Should it be? Anybody can start an identity provider “and that would be a completely unregulated enterprise under the current regime as long as their postings and notices are truthful.”

Stepanovich: “The identity ecosystem imagines many identity providers, everywhere.” It can range from signing into the Pandora music service to a health-care service. She wonders whether, when there is a legally binding privacy relationship between the two parties, that should be outside the control of the identity ecosystem.

Titus: Sometimes we regulate information by type, sometimes by covered entity (as in the health-care field). Blood pressure is regulated under health law, but not if I go to a non-medical provider and get my blood pressure checked. “I would like to see us in the United States switch . . . to a more consistent regime across the board.”

Coderre: “Without the clear opportunity to work together instead of apart, it stagnates.”

Harry Halpin, W3C: What are the proper parties to bring to the table? Interactions between the end user’s device and an identity provider, or between an end user and the service directory, are actually more secure. Who are the correct players to be involved? To what extent is that important: Do we want NSTIC to keep identity providers in the cloud, or on devices, or what?

A: Are the right players at the table and right technologies being considered?

Coderre: Don’t assume that any specific industry is automatically an identity provider or a relying party. See how that pans out. As to audit and assurance – people are looking at FIPPs as principles or policies. You don’t assess that – you see if it is in place. Assessment criteria would be vague at this point. Don’t ask the audit question quite yet.

Stepanovich: Ensuring the right people are at the table is the point of the request that is in circulation now from NSTIC leadership.

Popowycz: It’s not feasible to manage security on the end-user device – is it jailbroken?

Titus: This is not only a technology issue, it is a policy issue, too. We have learned that we should not carry our social-security card around in our wallets. If I give my identity credential to my wife, is that power of attorney or is it fraud?

Q: If the process has some implication for the outcome, then many international organizations have a different model of how they operate. Having stakeholders at the table plays into that. Look at organizational structure models.

Coderre: Make sure the architecture is done right. That is what needs to be agreed to. “Because that will give you the long-term stability that NSTIC will need.”

John Bradley, OpenID and Kantara: Identity providers are skeptical. Information Cards are dead because no relying parties wanted to use them, because they didn’t get enough information. “The notion of people using static PKI certs is largely a dead issue from a relying party point of view. …. Government websites are now taking Facebook IDs. …. There seems to be more focus on creating rules for identity providers rather than for relying parties . . . most of the linkages happen at the relying party . . . are we ignoring where most of the linkage is happening – bad relying parties who are basically collecting people’s information and spamming with it.”

Coderre: A question such as “Do you use tobacco?” has one context in the health industry and another in the insurance industry.

Slomovic: Do there need to be rules for relying parties’ use of data? The answer is use. If you allow your users to log into your site with Facebook, you agree to a bunch of rules about how that experience will work and the information you will get.

(Observation by Bill Densmore: So here the rules are made by the sole identity provider – Facebook – rather than by a framework provider.)

Popowycz: Need to make sure rules are clear and unambiguous.

Titus: The question brings out the difference between retail privacy and wholesale privacy. If behind-the-scenes data is being traded, the retail privacy is illusory because I’ve lost my wholesale privacy. “That is a very realistic risk – we will gain retail privacy at the risk of wholesale privacy.”